diff --git a/cmd/root.go b/cmd/root.go
index 48d5cd4..f962978 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -154,13 +154,17 @@ func initConfigFromEnv() {
  // UI
  config.UIAuthFile = os.Getenv("MP_UI_AUTH_FILE")
- auth.SetUIAuth(os.Getenv("MP_UI_AUTH"))
+ if err := auth.SetUIAuth(os.Getenv("MP_UI_AUTH")); err != nil {
+ logger.Log().Errorf(err.Error())
+ }
  config.UITLSCert = os.Getenv("MP_UI_TLS_CERT")
  config.UITLSKey = os.Getenv("MP_UI_TLS_KEY")
 
  // SMTP
  config.SMTPAuthFile = os.Getenv("MP_SMTP_AUTH_FILE")
- auth.SetSMTPAuth(os.Getenv("MP_SMTP_AUTH"))
+ if err := auth.SetSMTPAuth(os.Getenv("MP_SMTP_AUTH")); err != nil {
+ logger.Log().Errorf(err.Error())
+ }
  config.SMTPTLSCert = os.Getenv("MP_SMTP_TLS_CERT")
  config.SMTPTLSKey = os.Getenv("MP_SMTP_TLS_KEY")
  if getEnabledFromEnv("MP_SMTP_TLS_REQUIRED") {
diff --git a/config/config.go b/config/config.go
index 59639b2..9b5ad8c 100644
--- a/config/config.go
+++ b/config/config.go
@@ -179,13 +179,17 @@ func VerifyConfig() error {
  }
 
  if UIAuthFile != "" {
+ UIAuthFile = filepath.Clean(UIAuthFile)
+
  if !isFile(UIAuthFile) {
  return fmt.Errorf("[ui] HTTP password file not found: %s", UIAuthFile)
  }
+
  b, err := os.ReadFile(UIAuthFile)
  if err != nil {
  return err
  }
+
  if err := auth.SetUIAuth(string(b)); err != nil {
  return err
  }
@@ -196,6 +200,8 @@ func VerifyConfig() error {
  }
 
  if UITLSCert != "" {
+ UITLSCert = filepath.Clean(UITLSCert)
+
  if !isFile(UITLSCert) {
  return fmt.Errorf("[ui] TLS certificate not found: %s", UITLSCert)
  }
@@ -210,6 +216,8 @@ func VerifyConfig() error {
  }
 
  if SMTPTLSCert != "" {
+ SMTPTLSCert = filepath.Clean(SMTPTLSCert)
+
  if !isFile(SMTPTLSCert) {
  return fmt.Errorf("[smtp] TLS certificate not found: %s", SMTPTLSCert)
  }
@@ -226,6 +234,8 @@ func VerifyConfig() error {
  }
 
  if SMTPAuthFile != "" {
+ SMTPAuthFile = filepath.Clean(SMTPAuthFile)
+
  if !isFile(SMTPAuthFile) {
  return fmt.Errorf("[smtp] password file not found: %s", SMTPAuthFile)
  }
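Review bot: `logger.Log().Errorf(err.Error())` in both added branches passes a runtime string as the format argument, so any `%` in the error text is interpreted as a verb and newer `go vet` printf checks flag non-constant format strings; use `logger.Log().Error(err.Error())` or `logger.Log().Errorf("%s", err)`. The bigger concern is that a malformed `MP_UI_AUTH` / `MP_SMTP_AUTH` is only logged and startup continues: if `SetUIAuth` and `SetSMTPAuth` leave no credentials configured on error (their bodies are not visible here), an operator who asked for authentication ends up with an unauthenticated UI or SMTP listener. Failing closed — returning the error or calling `logger.Log().Fatal(...)`, which is what `VerifyConfig` effectively does for the file-based variants by returning the error — would be the safer default. `initConfigFromEnv` starts before and continues after this hunk.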
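Review bot: `filepath.Clean` on `UIAuthFile` (and the three other paths in this file) only normalizes `..` and `//` segments; it does not constrain where the file may live, so it silences gosec G304 rather than adding a control, and the reassignment also makes `VerifyConfig` mutate package-level state, which the function name does not suggest. A one-line comment would stop the next reader from assuming a traversal guard exists: `// Normalize the operator-supplied path (lint hygiene; this is trusted config, not user input).` The `isFile` → `os.ReadFile` sequence remains a check-then-use pair, acceptable for a trusted config path but worth the same remark. `VerifyConfig` continues outside this hunk.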
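Review bot: Only `UITLSCert` is cleaned in this hunk, while its companion `UITLSKey` is read straight from the environment in `cmd/root.go`; if the key path is validated further down `VerifyConfig` (outside this hunk) it presumably deserves the same treatment, e.g. `UITLSKey = filepath.Clean(UITLSKey)` before its own `isFile` check, and likewise `SMTPTLSKey` next to the `SMTPTLSCert` hunk below. If the key paths are deliberately left alone, a short comment saying why would keep the asymmetry from reading as an oversight.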
@@ -324,8 +334,10 @@ func parseRelayConfig(c string) error {
  return nil
  }
 
+ c = filepath.Clean(c)
+
  if !isFile(c) {
- return fmt.Errorf("[smtp] relay configuration not found: %s", SMTPRelayConfigFile)
+ return fmt.Errorf("[smtp] relay configuration not found: %s", c)
  }
 
  data, err := os.ReadFile(c)
diff --git a/internal/linkcheck/status.go b/internal/linkcheck/status.go
index 102f619..e3b59c8 100644
--- a/internal/linkcheck/status.go
+++ b/internal/linkcheck/status.go
@@ -63,7 +63,7 @@ func doHead(link string, followRedirects bool) (int, error) {
  tr := &http.Transport{}
 
  if config.AllowUntrustedTLS {
- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec
  }
 
  client := http.Client{
diff --git a/internal/logger/logger.go b/internal/logger/logger.go
index ca21348..5e00dae 100644
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -5,6 +5,7 @@ import (
  "encoding/json"
  "fmt"
  "os"
+ "path/filepath"
  "regexp"
 
  "github.com/sirupsen/logrus"
@@ -39,7 +40,7 @@ func Log() *logrus.Logger {
  }
 
  if LogFile != "" {
- file, err := os.OpenFile(LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0664)
+ file, err := os.OpenFile(filepath.Clean(LogFile), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0664) // #nosec
  if err == nil {
  log.Out = file
  } else {
diff --git a/internal/storage/database.go b/internal/storage/database.go
index 22b7584..3e239e0 100644
--- a/internal/storage/database.go
+++ b/internal/storage/database.go
@@ -712,7 +712,9 @@ func DeleteAllMessages() error {
  vacuumDb()
 
  dbLastAction = time.Now()
- SettingPut("DeletedSize", "0")
+ if err := SettingPut("DeletedSize", "0"); err != nil {
+ logger.Log().Warnf("[db] %s", err.Error())
+ }
 
  logMessagesDeleted(total)
 
diff --git a/internal/storage/search.go b/internal/storage/search.go
index db41826..8068521 100644
--- a/internal/storage/search.go
+++ b/internal/storage/search.go
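Review bot: The cleaned path lives only in the local `c`, whereas the `VerifyConfig` hunks in this same commit write the cleaned value back to the package variable; if anything later reports `SMTPRelayConfigFile` (the name the old error message used), it will still show the raw, uncleaned string. For consistency either assign it back, `SMTPRelayConfigFile = filepath.Clean(c)` alongside `c = filepath.Clean(c)`, or leave a comment that `c` is intentionally a local copy. The fix to the error message itself (printing `c` rather than the package variable) is correct. `parseRelayConfig` begins before and continues after this hunk.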
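Review bot: The bare `// #nosec` on the `InsecureSkipVerify: true` line suppresses every gosec rule for that statement, not just G402, so a later edit on the same line would also go unchecked; scope it and record the justification, e.g. `tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- operator opt-in via AllowUntrustedTLS`. The identical unscoped annotation is added to `server/handlers/proxy.go` and `server/smtpd/smtp.go` in this commit and deserves the same scoping. `doHead` continues outside the hunk, so whether the resulting client carries a timeout is not visible here.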
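Review bot: The log file is still created with mode `0664`, which makes it group-writable, and the new bare `// #nosec` now hides both the permission finding (G302) and the path finding (G304) on that line. Unless group members are meant to be able to truncate or alter the log, `0640` (or `0600`) is the safer default for a file that holds audit-relevant output; if `0664` is deliberate, scope the suppression and say why: `// #nosec G302 G304 -- operator-supplied path; group-writable by design`. `filepath.Clean` here only normalizes the operator-provided path, it does not restrict it. `Log()` continues outside the hunk.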
@@ -160,21 +160,21 @@ func DeleteSearch(search string) error {
  delIDs[i] = id
  }
 
- sqlDelete1 := `DELETE FROM mailbox WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)`
+ sqlDelete1 := `DELETE FROM mailbox WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec
 
  _, err = tx.Exec(sqlDelete1, delIDs...)
  if err != nil {
  return err
  }
 
- sqlDelete2 := `DELETE FROM mailbox_data WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)`
+ sqlDelete2 := `DELETE FROM mailbox_data WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec
 
  _, err = tx.Exec(sqlDelete2, delIDs...)
  if err != nil {
  return err
  }
 
- sqlDelete3 := `DELETE FROM message_tags WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)`
+ sqlDelete3 := `DELETE FROM message_tags WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec
 
  _, err = tx.Exec(sqlDelete3, delIDs...)
  if err != nil {
diff --git a/internal/updater/updater.go b/internal/updater/updater.go
index 6c5d2f5..da83201 100644
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -178,8 +178,8 @@ func GithubUpdate(repo, appName, currentVersion string) (string, error) {
  }
 
  if runtime.GOOS != "windows" {
- /* #nosec G302 */
- if err := os.Chmod(newExec, 0755); err != nil {
+ err := os.Chmod(newExec, 0755) // #nosec
+ if err != nil {
  return "", err
  }
  }
diff --git a/server/handlers/proxy.go b/server/handlers/proxy.go
index 0dd360b..33557c6 100644
--- a/server/handlers/proxy.go
+++ b/server/handlers/proxy.go
@@ -35,7 +35,7 @@ func ProxyHandler(w http.ResponseWriter, r *http.Request) {
  tr := &http.Transport{}
 
  if config.AllowUntrustedTLS {
- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec
  }
 
  client := &http.Client{
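Review bot: The three `// #nosec` annotations on the `sqlDelete*` builders are justified — only `?` placeholders are concatenated and the values are bound through `delIDs...` — but the reason should sit on the line so nobody has to re-derive it: `// #nosec G202 -- placeholders only, IDs are bound parameters`. Separately, `strings.Repeat(",?", len(ids)-1)` panics on a negative count when `ids` is empty; the top of `DeleteSearch` is outside this hunk, so confirm an early return on `len(ids) == 0` exists before the loop. Building the placeholder list once, `in := "(?" + strings.Repeat(",?", len(ids)-1) + ")"`, and reusing it in the three statements would also remove the triplicated expression.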
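Review bot: The rewrite replaces the scoped `/* #nosec G302 */` with an unscoped `// #nosec`, a small regression: the old form suppressed only the permission finding, the new one silences every gosec rule on the `os.Chmod` line. Keep the rule ID and the reason, `err := os.Chmod(newExec, 0755) // #nosec G302 -- downloaded executable must be runnable`, and note that splitting the former `if err := …; err != nil` into two statements appears to be done only to give the comment a line to sit on, which is worth a word in the commit message. `GithubUpdate` continues outside the hunk.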
@@ -108,7 +108,9 @@ func ProxyHandler(w http.ResponseWriter, r *http.Request) {
 
  // relay status code - WriteHeader must come after Header.Set()
  w.WriteHeader(resp.StatusCode)
- w.Write(body)
+ if _, err := w.Write(body); err != nil {
+ logger.Log().Warnf("[proxy] %s", err.Error())
+ }
  }
 
  // AbsoluteURL will return a full URL regardless whether it is relative or absolute
diff --git a/server/server.go b/server/server.go
index 7f601d8..5415838 100644
--- a/server/server.go
+++ b/server/server.go
@@ -13,6 +13,7 @@ import (
  "strings"
  "sync/atomic"
  "text/template"
+ "time"
 
  "github.com/axllent/mailpit/config"
  "github.com/axllent/mailpit/internal/auth"
@@ -94,12 +95,18 @@ func Listen() {
 
  logger.Log().Infof("[http] starting on %s", config.HTTPListen)
 
+ server := &http.Server{
+ Addr: config.HTTPListen,
+ ReadTimeout: 30 * time.Second,
+ WriteTimeout: 30 * time.Second,
+ }
+
  if config.UITLSCert != "" && config.UITLSKey != "" {
  logger.Log().Infof("[http] accessible via https://%s%s", logger.CleanHTTPIP(config.HTTPListen), config.Webroot)
- logger.Log().Fatal(http.ListenAndServeTLS(config.HTTPListen, config.UITLSCert, config.UITLSKey, nil))
+ logger.Log().Fatal(server.ListenAndServeTLS(config.UITLSCert, config.UITLSKey))
  } else {
  logger.Log().Infof("[http] accessible via http://%s%s", logger.CleanHTTPIP(config.HTTPListen), config.Webroot)
- logger.Log().Fatal(http.ListenAndServe(config.HTTPListen, nil))
+ logger.Log().Fatal(server.ListenAndServe())
  }
  }
 
diff --git a/server/smtpd/smtp.go b/server/smtpd/smtp.go
index 45d741d..25f20bb 100644
--- a/server/smtpd/smtp.go
+++ b/server/smtpd/smtp.go
@@ -54,7 +54,7 @@ func Send(from string, to []string, msg []byte) error {
  defer c.Close()
 
  if config.SMTPRelayConfig.STARTTLS {
- conf := &tls.Config{ServerName: config.SMTPRelayConfig.Host}
+ conf := &tls.Config{ServerName: config.SMTPRelayConfig.Host} // #nosec
  conf.InsecureSkipVerify = config.SMTPRelayConfig.AllowInsecure
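Review bot: A failed `w.Write(body)` is almost always the client going away mid-response, so logging it at `Warnf` will be noisy and can drown real warnings; `Debugf` (or no log at all) is the usual level for client-side write errors. If it stays at warn, include the request in the message so the entry is actionable, e.g. `logger.Log().Warnf("[proxy] %s: %s", r.URL.String(), err.Error())`. `ProxyHandler` begins before this hunk, so how `body` is read and bounded is not visible here.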
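Review bot: `WriteTimeout: 30 * time.Second` bounds the whole response write, not just the headers, so any handler that streams a large body to a slow client (attachment or raw-message downloads, if `Listen` registers such routes — the route setup is outside this hunk) is cut off after 30 s; if that is not intended, keep `ReadTimeout` for the slow-request protection this change is after and drop or raise `WriteTimeout`. An explicit `IdleTimeout` is also worth adding so keep-alive behaviour does not silently inherit `ReadTimeout`, and the struct deserves a one-line comment, `// timeouts stop slow or idle clients from holding connections open indefinitely`. Passing no `Handler` keeps the previous `DefaultServeMux` behaviour, which is fine but worth stating in the same comment.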